Fix cred process expiration #303
The Expiration field conveyed the wrong value. It's changed to be the same value that's used in aws-okta exec.
@reegnz what are the practical side effects you've been seeing?
What I've been noticing is that the timestamp returned by the cred process was not correctly representing the expiration of the credentials. I assume this broke the SDK credential refresh mechanism that actually runs cred-process before the expiration timestamp is reached.
How I built around the faulty cred-process expiration up until now is to build my own cred-process script with bash utilizing aws-okta exec, and using the environment variables with jq to construct the correct json response.
One of the remaining issues that still needs to be fixed: When the SDK recognizes that the Expiration is approaching, it tries to refresh the token. aws-okta however sees that the token has not expired yet, returning the old token that's about to be expired.
I did dig a bit further into the aws-okta code, just to make sure I was right about the SDK expiration. Turns out this fix will be good enough. The Expiration comes from the AssumeRole that is performed when there's a source_profile in the config, so the expiry is now handled by the SDK correctly. My initial assumption for looking into this came from how aws-vault does it: there it caches the AssumeRole credentials as well, so it makes the SDK credential refresh more difficult. Here we don't have that issue present. :)
Super, thanks for the digging. FWIW, given #278, there's a certain point where a fix becomes complex enough that I couldn't justify accepting it. It might be worth it for you to invest your time in the fork at https://github.com/aws-okta/aws-okta, though I'm not seeing a lot of movement there.
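An added example (not aws-okta's own code) of the credential_process contract this thread is about: the JSON document a helper must print, with Expiration taken from the expiry of the very credentials it returns, plus the consumer-side refresh check that a stale Expiration breaks. The field names follow the AWS credential_process output format; the function names and sample values are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Output is the credential_process document the AWS CLI/SDKs consume.
type Output struct {
	Version         int    `json:"Version"` // always 1
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken"`
	Expiration      string `json:"Expiration,omitempty"` // RFC 3339
}

// Render builds the response. expiresAt must be the expiry of these exact
// credentials (the AssumeRole result): the SDK schedules its refresh from it.
func Render(accessKeyID, secret, token string, expiresAt time.Time) ([]byte, error) {
	return json.Marshal(Output{Version: 1, AccessKeyId: accessKeyID,
		SecretAccessKey: secret, SessionToken: token,
		Expiration: expiresAt.UTC().Format(time.RFC3339)})
}

// NeedsRefresh is the consumer's view: the SDK asks for new credentials
// `window` before Expiration, so re-serving the same credentials is useless.
func NeedsRefresh(expiration, now time.Time, window time.Duration) bool {
	return !now.Add(window).Before(expiration)
}

// CheckOutput validates a helper's JSON: Expiration parses and is still in the future at now.
func CheckOutput(raw []byte, now time.Time) (time.Time, error) {
	var o Output
	if err := json.Unmarshal(raw, &o); err != nil {
		return time.Time{}, err
	}
	exp, err := time.Parse(time.RFC3339, o.Expiration)
	if err != nil {
		return time.Time{}, fmt.Errorf("bad Expiration %q: %w", o.Expiration, err)
	}
	if !exp.After(now) {
		return time.Time{}, fmt.Errorf("credentials expired at %s", exp)
	}
	return exp, nil
}
func main() { // constructed sample values, not real credentials
	raw, _ := Render("AKIAEXAMPLE", "secret", "token", time.Now().Add(time.Hour))
	fmt.Println(string(raw))
}
```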
This reverts commit 90c0192.
* Revert "disable github releases (currently broken) (segmentio#305)" This reverts commit b5cad3b.
* Revert "Added Ubuntu 2020 (Focal) to Makefile.release (segmentio#304)" This reverts commit ac21803.
* Revert "Fix cred process expiration (segmentio#303)" This reverts commit 90c0192.
* Revert "Update issue templates" This reverts commit 9e17974.
* Revert "Calculate OktaClient Content-Length correctly (segmentio#300)" This reverts commit e93f247.

* Calculate OktaClient Content-Length correctly (segmentio#300) Fixes: segmentio#298
* Update issue templates
* Fix cred process expiration (segmentio#303)
* Added Ubuntu 2020 (Focal) to Makefile.release (segmentio#304)
* disable github releases (currently broken) (segmentio#305)
Co-authored-by: Will Gardner <[email protected]>
Co-authored-by: Nick Irvine <[email protected]>
Co-authored-by: Zoltán Reegn <[email protected]>
Co-authored-by: Yossi Eliaz <[email protected]>

* Calculate OktaClient Content-Length correctly (segmentio#300) Fixes: segmentio#298
* Update issue templates
* Fix cred process expiration (segmentio#303)
* Added Ubuntu 2020 (Focal) to Makefile.release (segmentio#304)
* disable github releases (currently broken) (segmentio#305)
* Update AWS Go SDK To v1.25.35 (segmentio#307) Fixes STS regional endpoint support.
* Add STS Regional Endpoint Support To Other STS Clients (segmentio#308)
* Update keyring to v1.1.6 (segmentio#309) Recent versions of kwallet have removed the old support for the kde4 compatible kwallet dbus interface. This means newer kde5 based OS installs (e.g. kubuntu 20.04) can no longer use the kwallet backend with aws-okta. This was fixed upstream in the keyring lib back in 2019 but the dependency hasn't been bumped since then.
Co-authored-by: Will Gardner <[email protected]>
Co-authored-by: Nick Irvine <[email protected]>
Co-authored-by: Zoltán Reegn <[email protected]>
Co-authored-by: Yossi Eliaz <[email protected]>
Co-authored-by: Andrew Babichev <[email protected]>